I was looking through the source of one of the WordPress sites I own the other day and made a rather curious discovery.
Apparently W3 Total Cache (a plugin I only use on two sites as it works better with Memcached) had “Debug” turned on for all types of caching and was printing as HTML comments a lot of info about the site:
I was fairly intrigued about this so I checked further and noticed that the debug was dumping both table names and database contents as part of database queries being executed:
I went into the W3 Total Cache panel and noticed that everything was enabled, despite the fact that I don’t remember enabling it myself:
I’ve obviously disabled it as soon as I found out, but just in case you’re running sites with debug enabled you should go ahead and disable it as soon as possible since otherwise you risk exposing critical information about your setups and this could easily aid in SQL injection attacks.